Employee Medical Information at Work: What HR Must Keep Confidential
Employee medical information needs careful handling. Learn what HR can collect, where to store it, who can access it, and how ADA and HIPAA rules actually apply in the workplace.
When employee medical information lands on HR's desk, the question is usually not whether it feels sensitive. It obviously does. The real question is what HR is allowed to collect, where it should be stored, who can see it, and when it can be shared.
That is where many employers get tripped up.
In workplace settings, confidentiality rules around employee medical information are often driven less by casual assumptions about privacy and more by specific employment law requirements. The U.S. Equal Employment Opportunity Commission, or EEOC, states that employers must keep employee medical information confidential and maintain it in separate medical files. The EEOC also explains that after employment begins, disability-related inquiries and medical examinations generally must be job-related and consistent with business necessity. Meanwhile, the U.S. Department of Health and Human Services, or HHS, notes that HIPAA usually does not apply directly to employers or employment records, even though it does apply to covered health plans, providers, and clearinghouses.
For HR teams, the takeaway is simple: employee medical information needs to be handled carefully, access should be limited, and the rules depend on why the information was collected in the first place.
What counts as employee medical information?
Employee medical information can include more than a doctor's diagnosis.
In practice, this may include:
- medical exam results
- drug screening results
- doctor's notes
- fitness-for-duty documentation
- accommodation paperwork
- workers' compensation medical documents
- leave-related medical certifications
- vaccination or testing records when collected for an employment purpose
If the information relates to an employee's physical or mental condition, treatment, work restrictions, or ability to perform job duties, HR should treat it as sensitive medical information.
The basic rule: keep medical information confidential and separate
The EEOC states that employers must keep medical information obtained from disability-related inquiries or medical examinations confidential. It also says this information must be collected and maintained on separate forms and in separate medical files rather than in the standard personnel file.
That point matters more than it sounds.
If medical information is sitting in a general personnel folder, attached to a manager email chain, or stored in a shared HR drive with broad access, the employer may be creating unnecessary risk. Separate storage is not just a paperwork preference. It is part of the confidentiality framework under the ADA.
Who can access employee medical information?
Confidential does not mean no one can ever see it. It means access should be limited to people with a legitimate reason.
The EEOC explains that there are limited circumstances where disclosure may be allowed, such as:
- supervisors and managers who need to know about necessary work restrictions or accommodations
- first aid and safety personnel if the condition might require emergency treatment or special procedures
- government officials investigating compliance with disability law
- workers' compensation offices or insurance carriers where disclosure is authorized by applicable law
The key principle is minimum necessary workplace access. Most managers do not need the diagnosis. They usually only need to know the restriction, accommodation, or action required.
What HR should not do
This is where confidentiality problems usually show up.
HR should avoid:
- storing medical records in the general personnel file
- sharing diagnoses with managers who only need work restrictions
- discussing an employee's condition casually over email or chat
- collecting medical details that are not needed for the employment purpose at issue
- assuming that because information was volunteered, it can be circulated internally
The safest practice is to treat medical information like a need-to-know category, not a general HR reference file.
ADA rules matter more here than most people think
The EEOC makes clear that the ADA limits an employer's ability to ask disability-related questions or require medical examinations at different stages of employment. Before a job offer, employers generally cannot ask disability-related questions or require medical exams. After a conditional offer, employers may require medical examinations if they do so for all entering employees in the same job category. Once employment begins, disability-related inquiries and medical examinations generally must be job-related and consistent with business necessity.
This matters because the reason information was collected affects how it should be handled. If HR is requesting information to evaluate an accommodation, assess a fitness-for-duty issue, process a return-to-work question, or document a lawful post-offer exam, the employer should be able to explain why that information was needed.
What about HIPAA?
This is where people tend to get tangled.
HHS explains that the HIPAA Privacy Rule generally applies to covered entities like health plans, health care providers, and health care clearinghouses, not to employers acting in their role as employers. HHS also states that employment records held by an employer are not covered by HIPAA.
That does not mean employee medical information can be handled casually. It means employers should stop relying on "HIPAA" as a catch-all explanation and instead focus on the employment laws, confidentiality obligations, internal policies, and access controls that actually govern workplace medical records.
A simple way to think about it:
- HIPAA often governs the provider, health plan, or other covered entity
- ADA confidentiality rules often govern how the employer handles medical information in the employment context
Same health information. Different legal lane.
Where HR teams often run into trouble
Many confidentiality issues are operational, not intentional.
Common breakdowns include:
- accommodation records stored with general employee documents
- medical restrictions shared too broadly with supervisors
- leave certifications sent through unsecured or overly visible channels
- screening or exam results accessible to people outside HR, safety, or occupational health workflows
- inconsistent practices across multiple locations or business units
In other words, the problem is rarely a dramatic privacy scandal. More often, it is messy process design.
Practical steps HR can take now
A cleaner process goes a long way.
Here are five practical ways to reduce risk:
1. Store medical information separately
Use a dedicated medical file or restricted digital record, not the regular personnel file.
2. Limit access by role
Access should be based on job function and business need, not curiosity or convenience.
3. Share restrictions, not diagnoses, whenever possible
Managers usually need to know what they must do, not the employee's underlying condition.
4. Standardize intake and retention practices
Use consistent workflows for accommodation requests, return-to-work documentation, physical exams, and screening records.
5. Train HR and managers on confidentiality boundaries
A surprising amount of risk comes from people trying to be helpful while oversharing.
Why this matters for employers
Employee trust can disappear fast when medical information is handled carelessly. So can legal confidence.
For employers, protecting medical information is not just about avoiding complaints. It is also about building a workplace process that respects privacy, supports compliance, and helps HR respond consistently when accommodations, leave issues, screenings, or fitness-for-duty questions come up.
For organizations managing occupational health workflows across multiple locations, separate storage, limited access, and consistent documentation processes become even more important. That is where workflow design matters just as much as policy language.
Sources
- EEOC, Disability-Related Questions, Medical Exams, and Confidentiality
- EEOC, Enforcement Guidance on Disability-Related Inquiries and Medical Examinations of Employees under the ADA
- EEOC, Disability Discrimination and Reasonable Accommodation: Medical Inquiries, Leave, and Telework
- EEOC, Pre-Employment Inquiries and Medical Questions & Examinations
- EEOC, Disability Discrimination and Employment Decisions
- HHS, Employers and Health Information in the Workplace
- HHS, As an employer, I sponsor a group health plan for my employees. Am I a covered entity under HIPAA?
- HHS, Covered Entities and Business Associates